CN109657479B - Data leakage prevention method and computer readable storage medium - Google Patents
Data leakage prevention method and computer readable storage medium Download PDFInfo
- Publication number
- CN109657479B CN109657479B CN201710939959.5A CN201710939959A CN109657479B CN 109657479 B CN109657479 B CN 109657479B CN 201710939959 A CN201710939959 A CN 201710939959A CN 109657479 B CN109657479 B CN 109657479B
- Authority
- CN
- China
- Prior art keywords
- data
- key
- mixed
- block
- ciphertext
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
Abstract
The invention discloses a data leakage prevention method and a computer readable storage medium, wherein the method comprises the following steps: encrypting plaintext data to be encrypted by using an encryption key to obtain ciphertext data; obtaining a data block in a preset format according to the ciphertext data, and signing the data block by using a trusted starting private key to obtain signature data; obtaining mixed data according to the data block and the signature data; injecting an encryption key into the fuse region; after the safe operating system is started, configuring a safe storage area; the security operating system acquires the mixed data and uses the trusted boot public key to perform signature verification on the mixed data; if the verification is passed, obtaining an encryption key from the fuse area; and analyzing the mixed data, decrypting the ciphertext data in the data block of the mixed data by using the encryption key to obtain plaintext data, and storing the plaintext data in the safe storage area. The invention can effectively prevent the leakage of data from static storage to dynamic operation.
Description
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a data leakage prevention method and a computer-readable storage medium.
Background
The existing common FLASH has weak protection on data, the data stored in the FLASH can be easily copied through a tool, and if the data exists in a plaintext form, the data is leaked. If the special safe FLASH is used, the hardware cost is increased, and only data under the static condition is protected, the data loaded into the ordinary memory after the program runs can be snooped by a malicious program, so that the data leakage is caused.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: a data leakage prevention method and a computer-readable storage medium are provided, which can effectively prevent data leakage from static storage to dynamic operation.
In order to solve the technical problems, the technical scheme adopted by the invention is as follows: a trustzone-based data leakage prevention method comprises the following steps:
encrypting plaintext data to be encrypted by using an encryption key to obtain ciphertext data;
obtaining a data block in a preset format according to the ciphertext data, and signing the data block by using a trusted starting private key to obtain signature data;
obtaining mixed data according to the data block and the signature data;
injecting the encryption key into a fuse area;
after the safe operating system is started, configuring a safe storage area;
the security operating system acquires the mixed data and uses a trusted starting public key to carry out signature verification on the mixed data;
if the verification is passed, obtaining an encryption key from the fuse area;
and analyzing the mixed data, decrypting the ciphertext data in the data block of the mixed data by using the encryption key to obtain plaintext data, and storing the plaintext data in the safe storage area.
The invention also relates to a computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps as described above.
The invention has the beneficial effects that: data to be protected is processed through a cryptographic technology to generate a formatted mixed data file, a part of common memory area is configured as a trusted area exclusive-sharing safe storage area through trustzone authority during operation, and the data is analyzed to the corresponding safe storage area through the cryptographic technology, so that a program in an untrusted environment cannot snoop the data of the safe memory, and only the data in the trustzone trusted environment can be indirectly requested to be used, and the data in the whole process cannot be leaked out. The invention can effectively prevent the data from leaking from static storage to dynamic operation under the condition of not using a special safe flash or a special safe RAM.
Drawings
FIG. 1 is a flow chart of a trustzone-based data leakage prevention method according to the present invention;
FIG. 2 is a flowchart of a method according to a first embodiment of the present invention;
FIG. 3 is a diagram illustrating an encryption process according to a second embodiment of the present invention;
FIG. 4 is a diagram illustrating a decryption process according to a second embodiment of the present invention;
FIG. 5 is a schematic diagram of a format of hybrid data according to a second embodiment of the present invention;
fig. 6 is a schematic diagram of a start-up process of an embedded device according to a third embodiment of the present invention.
Detailed Description
In order to explain technical contents, objects and effects of the present invention in detail, the following detailed description is given with reference to the accompanying drawings in conjunction with the embodiments.
The most key concept of the invention is as follows: the privacy and the integrity of static data are ensured through encryption and signature verification, and the data cannot be leaked through decryption in a trusted environment and storage in a secure memory after operation.
Referring to fig. 1, a trustzone-based data leakage prevention method includes:
encrypting plaintext data to be encrypted by using an encryption key to obtain ciphertext data;
obtaining a data block in a preset format according to the ciphertext data, and signing the data block by using a trusted starting private key to obtain signature data;
obtaining mixed data according to the data block and the signature data;
injecting the encryption key into a fuse area;
after the safe operating system is started, configuring a safe storage area;
the security operating system acquires the mixed data and uses a trusted starting public key to perform signature verification on the mixed data;
if the verification is passed, obtaining an encryption key from the fuse area;
and analyzing the mixed data, decrypting ciphertext data in a data block of the mixed data by using the encryption key to obtain plaintext data, and storing the plaintext data in the safe storage area.
From the above description, the beneficial effects of the present invention are: the method can effectively prevent the data from being leaked from static storage to dynamic operation under the condition of not using a special secure flash or a special secure RAM.
Further, the encryption key is used for encrypting plaintext data to be encrypted to obtain ciphertext data; obtaining a data block in a preset format according to the ciphertext data, and signing the data block by using a trusted starting private key to obtain signature data, wherein the steps of:
generating, by a random number generator, an encryption key, the encryption key comprising a first key and a second key;
encrypting plaintext data to be encrypted by using the first key to obtain ciphertext data;
encrypting the first key by using the second key to obtain an encrypted first key;
and synthesizing the ciphertext data and the encrypted first key according to a preset format to obtain a data block, and signing the data block by using a trusted boot private key to obtain signature data.
As can be seen from the above description, the data security is further ensured by performing encryption with a double key.
Further, the "injecting the encryption key into the fuse area" is specifically:
and injecting the second key into the fuse area through a key injection tool.
It can be known from the above description that the fuse area has the characteristic that the hardware cannot be tampered after burning, and the fuse area can be accessed and used only by the trustzone secure operating system, and cannot be accessed by the common operating system, thereby further ensuring the security of the encryption key.
Further, the secure storage area includes a first memory block and a second memory block;
the "obtain encryption key from fuse area; analyzing the mixed data, decrypting ciphertext data in a data block of the mixed data by using the encryption key to obtain plaintext data, and storing the plaintext data in the secure storage area specifically include:
the safety operating system acquires a second key from the fuse area;
analyzing the data block of the mixed data to obtain ciphertext data and an encrypted first key;
decrypting the encrypted first key by using the second key to obtain a first key, and storing the first key in a second memory block;
and decrypting the ciphertext data by using the first key to obtain plaintext data, and storing the plaintext data in a first memory block.
As can be seen from the above description, the plaintext data and the first key are both stored in the secure storage area, so as to ensure the security of the data and the key during operation.
Further, after the storing the plaintext data in the first memory block, the method further includes:
and emptying and releasing the second memory block.
According to the above description, after the ciphertext data is decrypted into plaintext data, the first key is not needed, so that the second memory block storing the first key can be emptied first and then released, and the space of the secure storage area is saved.
Further, after the "injecting the encryption key into the fuse region", the method further includes:
injecting a trusted boot public key into a fuse area through a key injection tool;
and storing the mixed data to a Flash area through a burning tool.
As can be seen from the above description, the trusted boot public key is also injected into the fuse area, so that the security of the trusted boot public key is ensured; the mixed data can be directly stored in a Flash area because the mixed data is encrypted.
Further, the step of acquiring, by the secure operating system, the mixed data and performing signature verification on the mixed data by using the trusted boot public key specifically includes:
the secure operating system acquires a trusted boot public key;
decrypting the signature data in the mixed data by using the trusted starting public key to obtain a first abstract;
performing abstract operation on the data blocks in the mixed data to obtain a second abstract value;
and if the first abstract value is consistent with the second abstract value, judging that the verification is passed.
As can be seen from the above description, by performing signature verification, the validity and integrity of the mixed data are ensured.
The invention also proposes a computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps as described above.
Example one
Referring to fig. 2, a first embodiment of the present invention is: a data leakage prevention method based on trustzone is based on hardware technologies such as an ARM trustzone hardware architecture, an OTP (one time programmable) fuse area and an on-chip non-tampered ROM (read only memory) area, the trustzone technology is a trusted area technology on an ARM processor, and hardware resources and software resources on the processor can be divided into two operating environments by the technology: trusted and untrusted environments. A secure operating system is run in a trusted environment, and a normal operating system is run in an untrusted environment.
The method comprises the following steps:
s1: encrypting plaintext data to be encrypted by using an encryption key to obtain ciphertext data;
s2: obtaining a data block in a preset format according to the ciphertext data, and signing the data block by using a trusted starting private key to obtain signature data; specifically, the data block is subjected to digest operation, and then a trusted boot private key is used to encrypt a digest value, so that signature data is obtained.
S3: obtaining mixed data according to the data block and the signature data; for example, synthesizing the data block and the signature data, i.e., obtaining the hybrid data.
S4: injecting the encryption key to a fuse area; specifically, injecting to the fuse region by a key injection tool; furthermore, the trusted boot public key is also injected into the fuse area through a key injection tool, and the mixed data can be stored into the Flash area through a burning tool.
The fuse area has the characteristic that hardware cannot be tampered after burning (the non-fuse area can be modified after burning, and the key stored in the non-fuse area can be replaced), and the fuse area can only be accessed and used by a trustzone security operating system generally, and the common operating system cannot access, so that the security of the encryption key is further ensured.
S5: after the safe operating system is started, configuring a safe storage area; specifically, trustzone may configure a certain address area to have a specific security access right through a TZASC (address space controller), so that a certain general memory area may be configured to be accessible only in a trusted environment and not accessible in an untrusted environment.
S6: and the safe operating system acquires the mixed data, performs signature verification on the mixed data by using the trusted starting public key, judges whether the mixed data passes the verification, executes the step S7 if the mixed data passes the verification, and does not analyze the mixed data if the mixed data fails the verification if the mixed data does not pass the verification.
Specifically, the secure operating system acquires a trusted boot public key from a fuse area and acquires mixed data from a Flash area; decrypting the signature data in the mixed data by using the trusted starting public key to obtain a first abstract; performing summary operation on the data blocks in the mixed data to obtain a second summary value; if the first abstract value is consistent with the second abstract value, the verification is judged to be passed, otherwise, the verification is judged not to be passed.
S7: obtaining an encryption key from a fuse area;
s8: and analyzing the mixed data, decrypting the ciphertext data in the data block of the mixed data by using the encryption key to obtain plaintext data, and storing the plaintext data in the safe storage area.
In the embodiment, by using the hardware characteristic of the ARM trustzone, the data leakage prevention method of the whole important data from static storage to dynamic operation can be realized by using the common flash and the common RAM without using the special secure flash or the special secure RAM. The protected data can be any data, such as a data encryption key for an insecure world, when the insecure world requests data encryption, a message is sent to the secure world through a command parameter, data encryption operation is carried out in the secure world, and a result is output to the insecure world, and the whole encryption process is processed in the secure world, so that the leakage of encryption key data is prevented.
Example two
The present embodiment is a further extension of the first embodiment, and in the present embodiment, the encryption key includes a first key and a second key.
Referring to fig. 3, for steps S1 to S3, a first key and a second key are generated by a random number generator at the PC, then the plaintext data to be encrypted is encrypted by using the first key to obtain ciphertext data, and the first key is encrypted by using the second key to obtain an encrypted first key; then, the ciphertext data and the encrypted first key are synthesized according to a preset format to obtain a data block, and the data block is signed by using a trusted starting private key to obtain signature data; and finally, obtaining mixed data according to the data block and the signature data. The mixed data is finally stored in the form of a binary file.
And S4, injecting the second secret key into an OTP (one time programmable) fuse area of the embedded device for storage through a secret key injection tool during production and manufacturing, and storing the mixed data into a corresponding area of Flash of the embedded device through a burning tool during production and manufacturing.
In this embodiment, the secure storage area in step S5 includes a first memory block and a second memory block.
Referring to fig. 4, for steps S6 to S8, the secure operating system obtains a trusted boot public key and a second key from the fuse area; firstly, performing signature verification on mixed data by using a trusted boot public key, analyzing a data block of the mixed data after the verification is passed, and obtaining ciphertext data and an encrypted first key; decrypting the encrypted first key by using a second key acquired from the fuse area to obtain a first key, and storing the first key in a second memory block; and decrypting the ciphertext data by using the first key obtained by decryption to obtain plaintext data, and storing the plaintext data in the first memory block.
Furthermore, after the ciphertext data is decrypted into plaintext data, the first key is not needed, so that the second memory block storing the first key can be emptied and then released.
Further, the encryption algorithm and the decryption algorithm may adopt an AES encryption and decryption algorithm.
Further, the format of the mixed data may be as shown in fig. 5, and includes file header information, a flag, data information, first key information, signature information, ciphertext data, first key ciphertext, and signature data.
The file header information field includes a magic number (a fixed digital constant) for identifying the file identity and a file version number. The flag field identifies whether the file includes a corresponding data block, the flag field in this embodiment includes a data placeholder, a first key placeholder, and a signature placeholder, and if the flag on the corresponding placeholder is turned on (for example, the corresponding bit position 1 is turned on), it indicates that a corresponding data block information data field exists next, for example, the data placeholder flag is turned on, the next field includes a data information field, and these three placeholder flags need to be turned on at present, so the next field includes the data information field, the first key information field, and the signature information field. The data information field includes a type indicating that the field corresponds to the contents of the following block, where the corresponding type is ciphertext data, an offset indicating an offset address of the block of ciphertext data with respect to the entire mixed data file, and a length indicating a length of the block of ciphertext data. The contents of the first key information and the signature information and the data information are similar and will not be described in detail here. That is, the data information, the first key information, and the signature information correspond to indexes of the ciphertext data, the first key ciphertext, and the signature data, and specific ciphertext data, first key ciphertext, and signature data may be located in the hybrid data file according to these information.
The ciphertext data is a specific and encrypted data block, and the storage position is stored according to the specified offset and length in the data information. The first key ciphertext is a data block of the particular encrypted first key. The signature data is obtained by performing one-way secure hash (such as SHA algorithm) on all data (namely the data block in step S2) from the beginning of the file header information to the end of the first key ciphertext, and then encrypting the data by using the trusted boot private key. The length of the signature information field is fixed, and the region allocated by the type, the offset and the length is fixed, so that the storage space of the field can be reserved, and after the signature data is calculated, the offset and the length data are written into the corresponding storage space of the signature information field.
In the embodiment, the data security is further ensured by encrypting through the double keys, meanwhile, the information in the mixed data is increased, and the data leakage is further prevented by improving the cracking difficulty of the mixed data.
EXAMPLE III
This embodiment is a further development of the above-described embodiment.
In this embodiment, a trusted boot technology is used in the boot process of the embedded device, that is, a program or system loaded at each stage in the boot process is subjected to signature verification before loading and running, if the verification is passed, the system runs, otherwise, the execution is rejected, and based on the technology, if the embedded system is flushed with malicious firmware, the right to use the key stored in the OTP fuse area can be obtained, so that the ciphertext data is decrypted, and data leakage is caused.
The process of successfully starting the signature verification at each stage after the whole device is powered on and started is shown in fig. 6:
(1) loading, checking and starting a trusted root program of the on-chip non-tampered ROM area;
(2) loading verification and starting a first-level boot loader;
(3) loading, checking and starting a safe operating system;
(4) the secure operating system allocates two memory blocks to be exclusive to the trusted area (used for storing the decrypted first secret key and the plaintext data respectively);
(5) the safety operating system loads and checks the mixed data;
(6) the secure operating system runs a data decryption module, namely the data decryption part in the second embodiment, and the whole decryption process is performed in a trusted area of the embedded device;
(7) respectively storing the first key and the plaintext data into two memory blocks in the secure memory;
(8) clearing a memory block storing a first key and releasing the memory block;
(9) loading verification and starting a second-level boot loader;
the load checks in the r and starts the normal operating system.
Therefore, no matter the data is stored in the FLASH or is finally loaded into the secure memory, the data cannot be accessed in an unauthorized mode, and the risk of data leakage is prevented.
Example four
The present embodiment is a computer-readable storage medium corresponding to the above-mentioned embodiments, on which a computer program is stored, which when executed by a processor, performs the steps of:
encrypting plaintext data to be encrypted by using an encryption key to obtain ciphertext data;
obtaining a data block in a preset format according to the ciphertext data, and signing the data block by using a trusted starting private key to obtain signature data;
obtaining mixed data according to the data block and the signature data;
injecting the encryption key into a fuse area;
after the safe operating system is started, configuring a safe storage area;
the security operating system acquires the mixed data and uses a trusted starting public key to carry out signature verification on the mixed data;
if the verification is passed, obtaining an encryption key from the fuse area;
and analyzing the mixed data, decrypting the ciphertext data in the data block of the mixed data by using the encryption key to obtain plaintext data, and storing the plaintext data in the safe storage area.
Further, the plaintext data to be encrypted is encrypted by using the encryption key to obtain ciphertext data; obtaining a data block in a preset format according to the ciphertext data, and signing the data block by using a trusted starting private key to obtain signature data, wherein the steps of:
generating, by a random number generator, an encryption key, the encryption key comprising a first key and a second key;
encrypting plaintext data to be encrypted by using the first key to obtain ciphertext data;
encrypting the first key by using the second key to obtain an encrypted first key;
and synthesizing the ciphertext data and the encrypted first key according to a preset format to obtain a data block, and signing the data block by using a trusted starting private key to obtain signature data.
Further, the "injecting the encryption key into the fuse area" is specifically:
and injecting the second key into the fuse area through a key injection tool.
Further, the secure storage area includes a first memory block and a second memory block;
the "obtain encryption key from fuse area; analyzing the mixed data, decrypting ciphertext data in a data block of the mixed data by using the encryption key to obtain plaintext data, and storing the plaintext data in the secure storage area specifically include:
the security operating system acquires a second key from the fuse area;
analyzing the data block of the mixed data to obtain ciphertext data and an encrypted first key;
decrypting the encrypted first key by using the second key to obtain a first key, and storing the first key in a second memory block;
and decrypting the ciphertext data by using the first key to obtain plaintext data, and storing the plaintext data in a first memory block.
Further, after the storing the plaintext data in the first memory block, the method further includes:
and emptying and releasing the second memory block.
Further, after the "injecting the encryption key into the fuse region", the method further includes:
injecting a trusted boot public key into a fuse area through a key injection tool;
and storing the mixed data to a Flash area through a burning tool.
Further, the step of acquiring, by the secure operating system, the mixed data and performing signature verification on the mixed data by using the trusted boot public key specifically includes:
the secure operating system acquires a trusted boot public key;
decrypting the signature data in the mixed data by using the trusted starting public key to obtain a first abstract;
performing abstract operation on the data blocks in the mixed data to obtain a second abstract value;
and if the first abstract value is consistent with the second abstract value, judging that the verification is passed.
In summary, according to the data leakage prevention method and the computer-readable storage medium provided by the present invention, the data to be protected is processed by the cryptographic technique to generate a formatted mixed data file, a part of the common memory area is configured as the trusted area exclusive-use secure memory area by the trustzone authority during the operation, and the data is analyzed to the corresponding secure memory area by the cryptographic technique, so that the program in the non-trusted environment cannot snoop the data in the secure memory, and can only use the data in the trusted environment by indirectly requesting the trustzone, thereby ensuring that the data in the whole process cannot be leaked out; the data security is further ensured by encrypting through the double keys; the security of the encryption key is further ensured by storing the encryption key in the fuse area; the invention can effectively prevent the data from leaking from static storage to dynamic operation under the condition of not using a special safe flash or a special safe RAM.
The above description is only an embodiment of the present invention, and is not intended to limit the scope of the present invention, and all equivalent modifications made by the present invention and the contents of the accompanying drawings, which are directly or indirectly applied to the related technical fields, are included in the scope of the present invention.
Claims (7)
1. A trustzone-based data leakage prevention method is characterized by comprising the following steps:
encrypting plaintext data to be encrypted by using an encryption key to obtain ciphertext data;
obtaining a data block in a preset format according to the ciphertext data, and signing the data block by using a trusted starting private key to obtain signature data;
obtaining mixed data according to the data block and the signature data;
injecting the encryption key into a fuse area;
after the safe operating system is started, configuring a safe storage area;
the security operating system acquires the mixed data and uses a trusted starting public key to carry out signature verification on the mixed data;
if the verification is passed, obtaining an encryption key from the fuse area;
analyzing the mixed data, decrypting ciphertext data in a data block of the mixed data by using the encryption key to obtain plaintext data, and storing the plaintext data in the safe storage area;
the encryption key is used for encrypting plaintext data to be encrypted to obtain ciphertext data; obtaining a data block in a preset format according to the ciphertext data, and signing the data block by using a trusted starting private key to obtain signature data, wherein the steps of:
generating, by a random number generator, an encryption key, the encryption key comprising a first key and a second key;
encrypting plaintext data to be encrypted by using the first key to obtain ciphertext data;
encrypting the first key by using the second key to obtain an encrypted first key;
and synthesizing the ciphertext data and the encrypted first key according to a preset format to obtain a data block, and signing the data block by using a trusted starting private key to obtain signature data.
2. The trustzone-based data leakage prevention method according to claim 1, wherein the "injecting the encryption key into the fuse area" is specifically:
and injecting the second key into the fuse area through a key injection tool.
3. The trustzone-based data leakage prevention method as recited in claim 2, wherein the secure storage area comprises a first memory block and a second memory block;
the "obtain encryption key from fuse area; analyzing the mixed data, decrypting ciphertext data in a data block of the mixed data by using the encryption key to obtain plaintext data, and storing the plaintext data in the secure storage area specifically include:
the safety operating system acquires a second key from the fuse area;
analyzing the data block of the mixed data to obtain ciphertext data and an encrypted first key;
decrypting the encrypted first key by using the second key to obtain a first key, and storing the first key in a second memory block;
and decrypting the ciphertext data by using the first key to obtain plaintext data, and storing the plaintext data in a first memory block.
4. The trustzone-based data leakage prevention method as recited in claim 3, wherein after storing the plaintext data to a first memory block, further comprising:
and emptying and releasing the second memory block.
5. The trustzone-based data leakage prevention method as recited in claim 1, wherein after the "injecting the encryption key into a fuse area", further comprising:
injecting a trusted boot public key into a fuse area through a key injection tool;
and storing the mixed data to a Flash area through a burning tool.
6. The trustzone-based data leakage prevention method according to claim 1, wherein the "secure operating system obtains the hybrid data and performs signature verification on the hybrid data using a trusted boot public key" specifically includes:
the secure operating system obtains a trusted boot public key;
decrypting the signature data in the mixed data by using the trusted starting public key to obtain a first digest value;
performing abstract operation on the data blocks in the mixed data to obtain a second abstract value;
and if the first abstract value is consistent with the second abstract value, judging that the verification is passed.
7. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710939959.5A CN109657479B (en) | 2017-10-11 | 2017-10-11 | Data leakage prevention method and computer readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710939959.5A CN109657479B (en) | 2017-10-11 | 2017-10-11 | Data leakage prevention method and computer readable storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109657479A CN109657479A (en) | 2019-04-19 |
| CN109657479B true CN109657479B (en) | 2023-03-28 |
Family
ID=66108815
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710939959.5A Active CN109657479B (en) | 2017-10-11 | 2017-10-11 | Data leakage prevention method and computer readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109657479B (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110166224B (en) * | 2019-06-20 | 2022-03-29 | 大连海事大学 | VDES electronic chart data online updating and protecting method |
| CN110995685B (en) * | 2019-11-26 | 2022-07-19 | 中国银联股份有限公司 | Data encryption and decryption method, device, system and storage medium |
| CN111628966B (en) * | 2020-04-17 | 2021-09-24 | 支付宝(杭州)信息技术有限公司 | Data transmission method, system and device and data authorization method, system and device |
| CN111581654B (en) * | 2020-05-08 | 2023-10-24 | 苏州深信达网络科技有限公司 | Method for amplifying performance of encryption chip |
| CN112395627A (en) * | 2020-11-20 | 2021-02-23 | 深圳麦风科技有限公司 | Encryption and decryption method, device and storage medium |
| CN112687318B (en) * | 2020-12-31 | 2023-07-25 | 乐鑫信息科技(上海)股份有限公司 | Fuse reading method, controller and chip for resisting data tampering and template attack |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101488856A (en) * | 2008-01-17 | 2009-07-22 | 株式会社日立制作所 | System and method for digital signatures and authentication |
| CN102123031A (en) * | 2009-12-23 | 2011-07-13 | 英特尔公司 | Hardware attestation techniques |
| CN103617399A (en) * | 2013-11-06 | 2014-03-05 | 北京深思数盾科技有限公司 | Data file protecting method and device |
| CN106453430A (en) * | 2016-12-16 | 2017-02-22 | 北京瑞卓喜投科技发展有限公司 | Method and device for verifying encrypted data transmission paths |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8892855B2 (en) * | 2010-08-10 | 2014-11-18 | Maxlinear, Inc. | Encryption keys distribution for conditional access software in TV receiver SOC |
| US9753796B2 (en) * | 2013-12-06 | 2017-09-05 | Lookout, Inc. | Distributed monitoring, evaluation, and response for multiple devices |
-
2017
- 2017-10-11 CN CN201710939959.5A patent/CN109657479B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101488856A (en) * | 2008-01-17 | 2009-07-22 | 株式会社日立制作所 | System and method for digital signatures and authentication |
| CN102123031A (en) * | 2009-12-23 | 2011-07-13 | 英特尔公司 | Hardware attestation techniques |
| CN103617399A (en) * | 2013-11-06 | 2014-03-05 | 北京深思数盾科技有限公司 | Data file protecting method and device |
| CN106453430A (en) * | 2016-12-16 | 2017-02-22 | 北京瑞卓喜投科技发展有限公司 | Method and device for verifying encrypted data transmission paths |
Non-Patent Citations (1)
| Title |
|---|
| 基于USB Key的安全增强密钥生成方案;赵波等;《计算机工程与应用》;20170523(第10期);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109657479A (en) | 2019-04-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109657479B (en) | Data leakage prevention method and computer readable storage medium | |
| CN109858265B (en) | Encryption method, device and related equipment | |
| JP4689946B2 (en) | A system that executes information processing using secure data | |
| JP4689945B2 (en) | Resource access method | |
| KR101393307B1 (en) | Secure boot method and semiconductor memory system for using the method | |
| AU2009233685B2 (en) | Method and apparatus for incremental code signing | |
| CN111723383B (en) | Data storage and verification method and device | |
| US8250373B2 (en) | Authenticating and verifying an authenticable and verifiable module | |
| CN107430658B (en) | Security software certification and verifying | |
| US20110289294A1 (en) | Information processing apparatus | |
| KR20040094724A (en) | Multi-token seal and unseal | |
| US20080010686A1 (en) | Confidential Information Processing Device | |
| CN108199827B (en) | Client code integrity checking method, storage medium, electronic device and system | |
| CN112417422A (en) | Security chip upgrading method and computer readable storage medium | |
| CN109784072B (en) | Security file management method and system | |
| CN115062330A (en) | TPM-based intelligent cipher key and cipher application interface realization method | |
| Jacob et al. | faultpm: Exposing amd ftpms’ deepest secrets | |
| CN107609405B (en) | External secure memory device and system-on-chip SOC | |
| Plappert et al. | Evaluating the applicability of hardware trust anchors for automotive applications | |
| CN117556430B (en) | Safe starting method, device, equipment and storage medium | |
| CN115694790B (en) | Digital asset evidence-storing method, device, equipment and medium based on quantum security | |
| CN117009926A (en) | Software authorization method, device and medium | |
| US20220400004A1 (en) | Generating keys | |
| CN115292727A (en) | TrustZone-based root file system encryption method, device, equipment and storage medium | |
| CN116938463A (en) | Application running environment credibility detection method, equipment and medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |